Most companies do not have a process for assessing third parties’ security capabilities before they do business with them

Attackers continue to target personally identifiable information through third-party systems, which remain a key way in for cyber criminals and continue to plague companies.

Perhaps the most infamous of these incidents was the Target data breach in 2013. The attackers compromised Target’s HVAC contractor to gain entry to Target’s point-of-sale (POS) environment, from which they stole 110 million customer credit card details.

Third-party security: An emerging problem

While most companies are still grappling with securing their own networks, data, and users, preventing attacks that target business partners or make use of previously stolen information adds a new layer of complexity to the equation.

Smaller organizations are often the bigger risk

Increasingly, smaller organizations are becoming targets as a way to reach the sensitive data of larger businesses.

Many small businesses do not have the budget, resources, or internal knowledge to implement effective cybersecurity measures, which is why they are victimized.

It’s important for any organization to document its supplier management security policy so that both sides know what is expected of them.

Writing a supplier management security policy

Your suppliers should be treated as an extension of your ISMS (information security management system).

You need to document the relationship, including the information assets it touches that fall within your own scope. That documentation must cover the storage, transmission, and processing of the information, even where the information is encrypted. You must also decide who is responsible for the relationship and who will oversee the supplier’s implementation and maintenance of the security controls.

ISO 27001 is the internationally recognized cybersecurity standard against which organizations can achieve certification, proving their commitment to information security to stakeholders and customers.